PT-2026-31578 · WordPress · Ultimate Accordion

Athiwat Tiprasaharn +1
Published 2026-04-09 · Updated 2026-04-10
CVE-2026-4336
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Ultimate FAQ Accordion plugin for WordPress, versions through 2.4.7.

Description
The Ultimate FAQ Accordion plugin for WordPress is susceptible to Stored Cross-Site Scripting through FAQ content. This occurs because the plugin calls html_entity_decode() on post content during rendering, in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML. Insufficient output escaping in the faq-answer.php template, where the decoded content is echoed without wp_kses_post() or other sanitization, further contributes to the issue. The ufaq custom post type is registered with show_in_rest set to true and defaults to the post capability type, allowing Author-level users to create and publish FAQs via the REST API. An attacker with Author-level access or higher can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) that bypasses WordPress's kses sanitization at save time but is decoded back into executable HTML at render time. This allows the injection of arbitrary web scripts into FAQ pages that execute when a user accesses the injected FAQ, either directly or via the [ultimate-faqs] shortcode.

Recommendations
Update to a version later than 2.4.7.
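To make the ordering problem concrete, the following is an added Python model of the save-time sanitize / render-time decode pipeline the description lays out, beside the hardened ordering that sanitizes the decoded form. It is not the plugin's code and kses_like() is only a constructed stand-in for WordPress's wp_kses_post(); the allowlist, regexes and stored sample answer are assumptions made for the illustration.

```python
import html
import re

# Constructed sample of what an Author could store in post_content: the advisory's
# example payload in entity-encoded form, so at save time it contains no tags at all.
STORED_FAQ_ANSWER = "Reset your password here: &lt;img src=x onerror=alert()&gt;"

# Minimal kses-style allowlist sanitizer (a model, not WordPress's wp_kses_post()):
# keeps a few tags and strips every on* event-handler attribute.
ALLOWED_TAGS = {"p", "b", "i", "a", "img"}
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z0-9]+)([^>]*)>")
EVENT_ATTR_RE = re.compile(r"\s+on[a-zA-Z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)


def kses_like(markup: str) -> str:
    """Drop disallowed tags and remove event-handler attributes from allowed ones."""
    def fix_tag(m: re.Match) -> str:
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED_TAGS:
            return ""
        return f"<{closing}{name}{EVENT_ATTR_RE.sub('', attrs)}>"
    return TAG_RE.sub(fix_tag, markup)


def render_vulnerable(stored: str) -> str:
    """Sanitize at save time, then decode entities at render time with no re-check."""
    saved = kses_like(stored)      # nothing to strip: the encoded text has no '<'
    return html.unescape(saved)    # decoding reintroduces the live <img onerror=...>


def render_hardened(stored: str) -> str:
    """Same decode, but sanitize the final form that actually reaches the browser."""
    saved = kses_like(stored)
    return kses_like(html.unescape(saved))


def has_event_handler(rendered: str) -> bool:
    """Detection helper: does the rendered markup still carry an on* handler?"""
    return bool(EVENT_ATTR_RE.search(rendered))


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_FAQ_ANSWER))
    print("hardened:  ", render_hardened(STORED_FAQ_ANSWER))
```

The general lesson the model shows is that a sanitizer only protects the representation it saw; any decoding or transformation applied later must be followed by escaping or sanitizing that output.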

Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2026-4336

Affected Products: Ultimate Accordion